Comment by devilsdata

Comment by devilsdata 9 days ago

5 replies

View on Hacker News

Email magic links are inconvenient for the user, but they're not dumb. They're a pretty good option for a small project by a developer doesn't want to implement a whole auth flow, or pay for an OAuth provider.

It's a tradeoff. If you roll your own password flow, you need to add MFA to be secure. The complexity of what you need to build and maintain goes up.

A simple magic link flow for an app like this, where you are really only likely to log into it once per project you start.

Personally though, I also use a password manager. And I am annoyed enough by email magic links, that any of my personal projects will at least have a passkey implementation.

So I agree they're annoying. But they're definitely not "dumb". They're a tradeoff. This developer has chosen his own time over user convenience; which is a common tradeoff for small developers.

LoganDark 9 days ago

The problem with magic links is that the secret is sent with each login attempt. It's just like SMS verification codes - an attacker that controls the email address, or the phone number, can log right in. In this case, probably without even resetting a password. Plus, with no way to verify the account owner other than the email address, if the email address is lost or changed, the account's as good as gone.

Also yes they're super annoying for the user too. It's inconvenient and less secure.

Passkeys are awesome, yeah.

Reply View 4 replies
  • bobbiechen 9 days ago

    As opposed to username/password, where... An attacker that controls the email address can log right in.

    Unless you mean to say I should set up 2FA for my CSS theme variable helper website?

    Passkeys and OAuth/social login are great, but everyone has an email. And I don't think any mainstream site supports only passkey as an auth method (and no other way).

    Reply View 2 replies
    • tonyhart7 9 days ago

      "Passkeys and OAuth/social login are great, but everyone has an email"

      big tech is only allowing Social login from another big tech anyway, they use whitelist and banning everyone that dont use that because they cant guarantee untrusted "third party"

      Reply View 0 replies
    • LoganDark 8 days ago

      "Everyone has an email" is like "everyone has a phone number": wrong and bad. At least email addresses aren't difficult to get...

      Reply View 0 replies
  • devilsdata 8 days ago

    We are on the same page about magic links. Email is also not a super-reliable medium of communication. Email can arrive straight into the junk mail, late, or even never. I think magic links should be strongly discouraged for serious projects, businesses, and government. Passwords and application-based MFA (not SMS or Email MFA) or webauthn/passkeys are much better.

    This whole discussion started when @meindnoch wrote ">Sign in or create an account with your email. Into the trash it goes.".

    I think magic links are acceptable for a small solo developer project. Expecting a solo developer so shoulder the burden of rolling their own auth, paying for an auth service, or self-hosting an containerised auth-service and wiring their application to it is a bit much for a tiny project like this.

    Anything more than a small solo project should graduate to a better solution- I hope we can all agree with that.

    Reply View 0 replies